CI: fix remaining zizmor template-injection findings#6450
Conversation
Move ${{ inputs.build_mode }} and ${{ runner.workspace }} out of
run: blocks into step-level env: blocks in the four VOL workflow
files flagged by zizmor. Replace ${{ github.workspace }} with the
built-in $GITHUB_WORKSPACE env var directly.
These are workflow_call reusable files so inputs.build_mode is not
attacker-controllable, but the fix removes all zizmor findings and
leaves the Security tab clean for future PRs.
Review Checklist
This PR touches the following areas. Each needs at least one
All of these are passed in from vol.yml and can't be injected, these are just false positives.
The issue is to eliminate false-positive noise, so that if a real issue appears later, developers are not already trained to dismiss it. I can have zizmor only scan files that can be directly triggered by external users
Closing in favor of the approach in #6447. The VOL workflow files (vol_log, vol_rest, vol_ext_passthru, vol_cache) only have
Summary
Fixes the 22 remaining open zizmor template-injection alerts in the Security tab, all in four VOL workflow files:
- vol_log.yml (8 findings)
- vol_rest.yml (7 findings)
- vol_ext_passthru.yml (4 findings)
- vol_cache.yml (3 findings)
Changes per file: move ${{ inputs.build_mode }} and ${{ runner.workspace }} out of run: scripts into step-level env: blocks; replace ${{ github.workspace }} with the built-in $GITHUB_WORKSPACE env var directly.
Once this and #6447 merge, the Security tab will be clean — any future zizmor finding will be a real signal rather than pre-existing noise.
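The shape of the change the summary describes, as an added illustration rather than a hunk from the PR itself: the step form zizmor's template-injection rule flags, next to the env:-based form the PR moves to. The job name, step names and the script bodies are assumed.

```yaml
# Added example, not taken from the PR's workflow files.
on:
  workflow_call:
    inputs:
      build_mode:
        type: string
        required: true

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # FLAGGED FORM: the runner expands ${{ }} into the script text before
      # bash parses it, so whatever the value contains becomes shell syntax.
      # Here the value comes from the calling workflow (workflow_call input),
      # not from an untrusted field, which is why the finding is noise rather
      # than an exploitable bug; the scanner cannot tell the two apart.
      - name: Build (flagged form)
        run: |
          cd ${{ runner.workspace }}/build
          ./configure --mode=${{ inputs.build_mode }}

      # FIXED FORM: the expressions move into step-level env:, so the runner
      # hands them to bash as environment variable values, never as script
      # text. Quoting keeps a value with spaces as a single argument.
      - name: Build (fixed form)
        env:
          BUILD_MODE: ${{ inputs.build_mode }}
          RUNNER_WORKSPACE: ${{ runner.workspace }}
        run: |
          cd "$RUNNER_WORKSPACE/build"
          ./configure --mode="$BUILD_MODE"

      # ${{ github.workspace }} needs no env: entry at all: the runner already
      # exports it to every step as GITHUB_WORKSPACE.
      - name: List build outputs
        run: ls "$GITHUB_WORKSPACE/out"
```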